Heads-up on the red Simple (17) check: it's failing at the actions/checkout@v5 step on the self-hosted runner — fatal: unable to access 'https://github.com/apache/iotdb/': gnutls_handshake() failed: The TLS connection was non-properly terminated (git exit 128) — i.e. before any build runs. That's a runner-side network/TLS issue, not this PR: the change is documentation-only (THREAT_MODEL.md + SECURITY.md + the AGENTS.md/CLAUDE.md Security section) and the rest of CI is green. A re-run reproduced it identically, so the runner likely needs a restart/repair. Flagging so the red isn't read as a defect in the PR.

Thanks for preparing this. Speaking as an IoTDB PMC member, I think this is a useful v0 draft and a good starting point for the PMC to own and refine. I agree with the approach of keeping inferred claims explicit and promoting them as the PMC confirms or corrects them.

A few points I can confirm or suggest clarifying from the current project behavior/configuration:

1. Deployment posture: IoTDB should generally be treated as operator-deployed infrastructure. My suggested wording is trusted-network-by-default, with the client RPC surface as the main in-model boundary. Direct public exposure, especially with default credentials, should not be considered a supported production posture.

2. Default root:root: the default administrator account/password exists for initial setup and local getting-started use. It should be documented as a must-change before production use or exposure outside a trusted environment, not as a supported production posture.

3. REST/MQTT defaults: both REST and MQTT are disabled by default in the current config:

   • enable_rest_service=false
   • enable_mqtt_service=false

4. Client Thrift SSL is available but disabled by default:

   • enable_thrift_ssl=false

5. Extension/server-side execution: USE_UDF, USE_TRIGGER, USE_PIPE, and USE_MODEL are system privileges and are grantable privileges, not strictly root/admin-only operations. My suggested security-model interpretation is that principals granted these privileges are trusted for the corresponding server-side execution capability. RBAC is the authorization boundary here, not a sandbox.

6. Resource/DoS line: I would distinguish malformed/pre-auth/client input causing crashes, OOMs, deadlocks, or clearly unbounded behavior from ordinary expensive queries or write load. The former should remain in-model security-relevant behavior; the latter is generally an operator capacity/resource-management concern unless there is a specific bug such as super-linear amplification, missing limits where limits are expected, or a hang.

For inter-node trust, Byzantine peer assumptions, and the exact wording of the long-term triage policy, I think it is reasonable to keep them as explicit open questions and settle them through follow-up PMC discussion rather than trying to finalize the whole threat model in this PR.

So overall: I support using this PR as the initial draft, with the current defaults and privilege model above folded into the document where appropriate.

Thanks @HTHou — pushed a revision folding in your review:

• Trusted-network-by-default posture, with the authenticated client RPC surface as the main in-model boundary; direct public exposure (esp. with default creds) noted as not a supported posture.
• Default root:root documented as must-change-before-production (OUT-OF-MODEL: non-default-build), not a supported posture.
• Defaults reflected: REST off, MQTT off, client Thrift SSL off.
• USE_UDF / USE_TRIGGER / USE_PIPE / USE_MODEL framed as grantable system privileges — principals holding them are trusted for that server-side execution; RBAC is the boundary, not a sandbox (UDF-RCE = BY-DESIGN).
• DoS line split: malformed/pre-auth input causing crash/OOM/hang is in-model; ordinary expensive queries / write load are operator capacity (out-of-model unless super-linear amplification / missing-expected-limit / hang).

Per your note, I kept inter-node trust, the Byzantine-peer assumption, and the long-term triage policy as explicit §14 follow-up items rather than finalizing them here. Ready as the initial draft whenever you're set.

Thanks @JackieTien97 — exactly the confirmation pass the v0 needed. All eleven points plus the two corrections are folded into the branch; responding individually:

Wave 1

1. Deployment posture — confirmed; §2/§4/§7 already carried this from @HTHou's pass, now reinforced. §14.1 resolved.
2. Default root:root — confirmed OUT-OF-MODEL: non-default-build; §5a/§10/§11a/§13 unchanged, §14.2 resolved.
3. TsFile / SDK boundary — promoted §3 + §14.3 from (inferred) to (maintainer): TsFile findings route to apache/tsfile; iotdb-client-* SDKs out of this batch.

Wave 2
4. Default-enabled protocols — confirmed (Thrift on; REST/MQTT off); already maintainer-tagged, §14.4 resolved.
5. Inter-node channel — the big open one. Rewrote §4 (secondary boundary + reachability rule), §6, §9, §14.5: inter-node assumed trusted-network, no transport encryption today, interception/modification findings → OUT-OF-MODEL: adversary-not-in-scope, operators own segmentation (§10). Now (maintainer).
6. TLS — §5a + §9 + §14.6: client Thrift SSL off by default, no inter-node TLS today. Promoted.

Wave 3
7. Extension code execution — confirmed BY-DESIGN for a principal holding USE_UDF/USE_TRIGGER/USE_PIPE/USE_MODEL; §9/§11a/§13 unchanged (maintainer from @HTHou), §14.7 resolved.
8. Cluster Byzantine posture — rewrote §7 + §14.8: membership fully trusted, no BFT claim, no safety/liveness guarantee against an authenticated-but-malicious peer. Promoted.

Wave 4
9. Resource/DoS line — confirmed, incl. the carve-out: malformed/pre-auth/client input causing crash/OOM/hang stays VALID (§8); ordinary expensive queries/write-load are operator capacity. §14.9 resolved.
10. No additional false positives — noted; §14.10 resolved (no §11a additions).
11. Canonical location — confirmed in-repo (AGENTS.md → SECURITY.md → THREAT_MODEL.md), PMC owns revisions; §14.11 resolved, §1 status updated.

Corrections

• §5 clock — fixed: server-side time ordering does not assume monotonic/synchronized clocks across the cluster. Now (maintainer).
• AGENTS.md symlink — added a note to the PR description: AGENTS.md is a symlink to CLAUDE.md here, so the ## Security section landing in CLAUDE.md is intentional and the chain resolves.

With your pass and @HTHou's folded in, §2–§13 are PMC-confirmed and §14 is fully resolved — residual (inferred) tags are limited to low-stakes environmental details. Re-requesting your review; happy to iterate on any wording.